On 14/12/2023 17:28, ResSoft wrote:
Chris,
I figured out how to make this work. It works in my dev box but not in
my prod box. Both have the same version of tomcat. Here is the web.xml entry.
Any ideas would be great.
Those constraints look correct to me and a quick test using
Chris,
I figured out how to make this work. It works in my dev box but not in
my prod box. Both have the same version of tomcat. Here is the web.xml entry.
Any ideas would be great.
securedapp
/*
CONFIDENTIAL
Chris,
Thanks for the response, but I think I explained myself wrong. The
http redirect to https works when I use just this entry in my web.xml
securedapp
/*
CONFIDENTIAL
But if I want to force http to https and lock the second url pattern from
Kent,
On 12/14/23 09:13, ResSoft wrote:
I am currently forcing my app to use https. Here is what I have in my
app web.xml file and it works as intended
securedapp
/*
CONFIDENTIAL
I also now want to restrict the browser from pulling up files in certain
I am currently forcing my app to use https. Here is what I have in my
app web.xml file and it works as intended
securedapp
/*
CONFIDENTIAL
I also now want to restrict the browser from pulling up files in certain
directories. Search the web I see to use the
Jasvant,
On 1/28/22 08:28, Jasvant Singh wrote:
Hi,
I am trying to set up HttpHeaderSecurityFilter for enhancing the security
of my website.
Filter is defined in $TOMCAT_HOME/conf/web.xml as follows:
httpHeaderSecurity
org.apache.catalina.filters.HttpHeaderSecurityFilter
On 28/01/2022 13:28, Jasvant Singh wrote:
The HttpHeaderSecurityFilter works for all URLs except the pattern provided
in setting.
That is expected. Security constraints are applied before the control is
passed to the web application.
Any help is really appreciated.
Is this really an
Hi,
I am trying to set up HttpHeaderSecurityFilter for enhancing the security
of my website.
Filter is defined in $TOMCAT_HOME/conf/web.xml as follows:
httpHeaderSecurity
org.apache.catalina.filters.HttpHeaderSecurityFilter
true
hstsEnabled
t
CVE-2018-8034 Apache Tomcat - Security Constraint Bypass
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.9
Apache Tomcat 8.5.0 to 8.5.31
Apache Tomcat 8.0.0.RC1 to 8.0.52
Apache Tomcat 7.0.35 to 7.0.88
Description:
The host name
CVE-2018-1305 Security constraint annotations applied too late
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.4
Apache Tomcat 8.5.0 to 8.5.27
Apache Tomcat 8.0.0.RC1 to 8.0.49
Apache Tomcat 7.0.0 to 7.0.84
Description:
Security
CVE-2017-7675 Apache Tomcat Security Constraint Bypass
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M21
Apache Tomcat 8.5.0 to 8.5.15
Description:
The HTTP/2 implementation bypassed a number of security checks that
prevented
CVE-2017-7675 Apache Tomcat Cache Poisoning
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M21
Apache Tomcat 8.5.0 to 8.5.15
Description:
The HTTP/2 implementation bypassed a number of security checks that
prevented directory traver
Marks,
Thanks for the info, originally I was using just index.jsp, but this also
gets blocked with a 403:
index.jsp
I will look into the servlet suggestion.
Cheers Greg
On 19 June 2017 at 10:39, Mark Thomas wrote:
> On 19/06/17 08:24, Greg Huber wrote:
> > Hello,
> >
> > If I add a security
On Mon, Jun 19, 2017 at 3:09 PM, Mark Thomas wrote:
> On 19/06/17 08:24, Greg Huber wrote:
> > Hello,
> >
> > If I add a security constraint to block direct access to jsp outside of
> > /WEB-INF/ it blocks the welcome-file with a 403. Is there a caveat for
> > using this here?
>
> Your welcome fi
On 19/06/17 08:24, Greg Huber wrote:
> Hello,
>
> If I add a security constraint to block direct access to jsp outside of
> /WEB-INF/ it blocks the welcome-file with a 403. Is there a caveat for
> using this here?
Your welcome file is invalid. It should be a file name without a path.
Remember it
Hello,
If I add a security constraint to block direct access to jsp outside of
/WEB-INF/ it blocks the welcome-file with a 403. Is there a caveat for
using this here?
No direct JSP access
No-JSP
*.jsp
no-users
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M20
Apache Tomcat 8.5.0 to 8.5.14
Apache Tomcat 8.0.0.RC1 to 8.0.43
Apache Tomcat 7.0.0 to 7.0.77
Earlier, unsupported versions have not been analysed but are likely to
be affected
Descr
On Sun, Jul 6, 2014 at 1:35 PM, Konstantin Kolinko
wrote:
> I think you can inject RemoteAddrFilter into Spring Security filter
> chain (that is if you do not want to configure it separately in
> web.xml),
You are right, I did not think of that.
FWIW this is easily doable using custom filters [1]
2014-07-05 20:00 GMT+04:00 Falco Schwarz :
> On Sat, Jul 5, 2014 at 12:39 PM, Mark Thomas wrote:
>> Maybe look at a third party security plugin like Spring Security? Not sure
>> if this is supported but worth a look.
>>
>> Mark
>
> Thanks Mark and Konstantin for your quick replies. I tried to
> a
2014-07-06 13:45 GMT+04:00 Falco Schwarz :
> Konstantin,
>
> On Sat, Jul 5, 2014 at 3:26 PM, Konstantin Kolinko
> wrote:
>> You can either perform IP filtering in a Valve (that will be in the
>> pipeline before an Authenticator), or you can remove
>> sec
On 5. Juli 2014 19:04:26 MESZ, Falco Schwarz wrote:
>On Sat, Jul 5, 2014 at 6:17 PM, Hassan Schroeder
> wrote:
>> (Sorry, late to the thread but ...) if you just want to restrict
>access to
>> a resource to localhost, why not os-level e.g. an iptables rule?
>
>Well, the reason behind the restric
Konstantin,
On Sat, Jul 5, 2014 at 3:26 PM, Konstantin Kolinko
wrote:
> You can either perform IP filtering in a Valve (that will be in the
> pipeline before an Authenticator), or you can remove
> security-constraint and implement authentication and authorization in
> a filter (such
On Sat, Jul 5, 2014 at 6:17 PM, Hassan Schroeder
wrote:
> (Sorry, late to the thread but ...) if you just want to restrict access to
> a resource to localhost, why not os-level e.g. an iptables rule?
Well, the reason behind the restriction is that I would like to use
tomcats jmxproxy for our prod
On Sat, Jul 5, 2014 at 9:00 AM, Falco Schwarz wrote:
> In the end I found a solution which suits my needs: combining the
> RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter
> always prevents access if the client is not localhost.
(Sorry, late to the thread but ...) if you just
On Sat, Jul 5, 2014 at 12:39 PM, Mark Thomas wrote:
> Maybe look at a third party security plugin like Spring Security? Not sure if
> this is supported but worth a look.
>
> Mark
Thanks Mark and Konstantin for your quick replies. I tried to
accomplish this only using Spring Security and I also g
2014-07-05 11:41 GMT+04:00 Falco Schwarz :
> I should add that the IP restriction is applied via filter, not with a
> tomcat Valve. Essentially the question breaks down to this:
>
> Is it possible in any way for a filter to be applied before the evaluation
> of the security-constrai
On 5 July 2014 08:41:52 BST, Falco Schwarz wrote:
>I should add that the IP restriction is applied via filter, not with a
>tomcat Valve. Essentially the question breaks down to this:
>
>Is it possible in any way for a filter to be applied before the
>evaluation
>of the securi
I should add that the IP restriction is applied via filter, not with a
tomcat Valve. Essentially the question breaks down to this:
Is it possible in any way for a filter to be applied before the evaluation
of the security-constraint? Or is there any other way of setting up an IP
filter combined
All,
I am trying to set up the jmx proxy servlet and am kinda stuck on security.
I would like to:
- restrict access to localhost
- restrict access to require basic authentication
Currently it works, though in the wrong order. This is how the request is
being processed right now:
1) user accesse
Ok.
Thank you.
--
[Adrián Córdoba]
2011/7/22 André Warnier
> Adrián Córdoba wrote:
>
>> André:
>> This is in my URL bar of Chrome or Firefox:
>> http://localhost/Andromeda
>>
>> Ok. That, *and* the fact that you have a single VirtualHost, explains why
> it works, and explains the log en
Adrián Córdoba wrote:
André:
This is in my URL bar of Chrome or Firefox:
http://localhost/Andromeda
Ok. That, *and* the fact that you have a single VirtualHost, explains why it works, and
explains the log entries.
But it works *only* because you have a single VirtualHost, and in Apache
André:
This is in my URL bar of Chrome or Firefox:
http://localhost/Andromeda
Thank you.
--
[Adrián Córdoba]
2011/7/22 André Warnier
> Adrián Córdoba wrote:
>
>> André:
>> 1- So how come the requests are made to the host "localhost" ?
>> I think this is so, because .
>> 2- Is this
Adrián Córdoba wrote:
André:
1- So how come the requests are made to the host "localhost" ?
I think this is so, because .
2- Is this the one and only VirtualHost in Apache ?
This is the only virtual host.
How do you enter a URL in the browser, to access this ?
(paste an example)
Best re
André:
1- So how come the requests are made to the host "localhost" ?
I think this is so, because .
2- Is this the one and only VirtualHost in Apache ?
This is the only virtual host.
Best regards
--
[Adrián Córdoba]
2011/7/22 André Warnier
> Adrián Córdoba wrote:
>
>> Well...
>> 1- I dele
Igor:
mod_jk log file is configured, but nothing relevant is logged.
Thank you.
--
[Adrián Córdoba]
2011/7/21 Igor Cicimov
> Configure a mod_jk log file and see what's going on there
>
> On Jul 22, 2011 10:37 AM, "Adrián Córdoba" wrote:
>
> Well...
> 1- I delete the "Directory" section from
Adrián Córdoba wrote:
Well...
1- I delete the "Directory" section from httpd.conf file.
2- I add "JkMount /Andromeda worker1" to the virtual host.
3- I add dynamic content to index.jsp page
So I proved the content is served by Tomcat. But I have the same problem: I
cannot view the content of pro
Configure a mod_jk log file and see what's going on there
On Jul 22, 2011 10:37 AM, "Adrián Córdoba" wrote:
Well...
1- I delete the "Directory" section from httpd.conf file.
2- I add "JkMount /Andromeda worker1" to the virtual host.
3- I add dynamic content to index.jsp page
So I proved the cont
Well...
1- I delete the "Directory" section from httpd.conf file.
2- I add "JkMount /Andromeda worker1" to the virtual host.
3- I add dynamic content to index.jsp page
So I proved the content is served by Tomcat. But I have the same problem: I
cannot view the content of protected section of my web
Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Adrián,
On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
Thank you, André. I know this "Warning", but I want to serve static
content with Apache web server and dynamic content with Tomcat.
You can still do that without setti
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Adrián,
On 7/21/2011 4:09 PM, Adrián Córdoba wrote:
> So, how to serve dynamic content with Tomcat and static one with
> Apache, all in the same web application, in secure way? Can you show
> me that or tell me a link to learn it?
At least three ways
Thank you, Chris... I appreciate your tips.
So, how to serve dynamic content with Tomcat and static one with Apache, all
in the same web application, in secure way? Can you show me that or tell me
a link to learn it?
Now, users and passwords are in tomcat-users.xml file.
When I get home, I'll try s
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Adrián,
On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
> Thank you, André. I know this "Warning", but I want to serve static
> content with Apache web server and dynamic content with Tomcat.
You can still do that without setting the DocumentRoot to your
Thank you, André.
I know this "Warning", but I want to serve static content with Apache web
server and dynamic content with Tomcat. (The web application contains only
links to other pages in the same application. It is a test application to
learn.)
In those conditions, with those settings, if an u
Addendum :
This, which I missed earlier, is of course also a no-no, for the same reasons as explained
earlier :
DocumentRoot /opt/apache-tomcat-7.0.12/webapps/
see the remark in red here :
http://tomcat.apache.org/connectors-doc/reference/apache.html
André Warnier wrote:
Adrián Córdoba wrote
Adrián Córdoba wrote:
...
JkMount /Andromeda/* worker1
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
-
...
May be, I have a configuration mistake.
Yes, a big one above.
Wethe
doesn't
work (only the content within security-constraint) if I use an URL to
Apache.
Platform is OpenSuse 11.4.
4- Details:
*Application structure*:
Andromeda/WebContent/index.jsp (entry page)
Andromeda/WebContent/admin/login.jsp
Andromeda/WebContent/admin/login-error.jsp
Andromeda/WebContent/int
Adrián Córdoba wrote:
Hi!
I have a very simple web application
(JSP<http://www.coderanch.com/forums/f-50/JSP> based),
deployed on Tomcat webapps directory with a security constraint in order to
protect an internal directory. Tomcat (7.0.12) is running behind Apache
(2.2.17) web server
From: Adrián Córdoba [mailto:adr.cord...@gmail.com]
Sent: Thursday, July 21, 2011 11:25 AM
To: users@tomcat.apache.org
Subject: Tomcat behind Apache and security-constraint
Hi!
If I try to access to some file within internal directory, directly in Tomcat
(*http://localhost:8080/...*), username and p
2011/7/21 Adrián Córdoba :
> *a blank page is displayed on Firefox navigator*.
Do you have ROOT webapp deployed on your Tomcat?
What is shown in access logs (in Tomcat one and in Apache HTTPD one)?
I hope that you have them configured.
Best regards,
Konstantin Kolinko
--
Hi!
I have a very simple web application
(JSP<http://www.coderanch.com/forums/f-50/JSP> based),
deployed on Tomcat webapps directory with a security constraint in order to
protect an internal directory. Tomcat (7.0.12) is running behind Apache
(2.2.17) web server (httpd).
If I try to acc
On 5/17/2011 5:46 AM, Mark Thomas wrote:
CVE-2011-1582 Apache Tomcat security constraint bypass
Description:
An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that
security constraints configured via annotations were ignored on the
first request to a Servlet. Subsequent requests were
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2011-1582 Apache Tomcat security constraint bypass
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- - Tomcat 7.0.12-7.0.13
- - Earlier versions are not affected
Description:
An error in the fixes for CVE-2011
CVE-2011-1183 Apache Tomcat security constraint bypass
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.11
- Earlier versions are not affected
Description:
A regression in the fix for CVE-2011-1088 meant that security
constraints were ignored when no
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2011-1088 Apache Tomcat security constraint bypass
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- - Tomcat 7.0.0 to 7.0.10
- - Earlier versions are not affected
Description:
When a web application was started
> From: Mats Eklund [mailto:mats.ekl...@yahoo.com]
> Subject: security-constraint in web.xml - order/priority
>
> If I have more than one security-constraint tags in my web.xml (some
> with, some without auth-constraints), which one takes precedence for a
> specific reques
Hi,
If I have more than one security-constraint tags in my web.xml (some with, some
without auth-constraints), which one takes precedence for a specific request?
Thanks,
Mats
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Robert,
On 3/8/2010 1:31 PM, Robert Jacobson wrote:
> I managed to figure out a way to do it using a jdbc resource and
> sql:query and sql:update tags in a couple JSP files.
Yuck :(
> Well, the code works wonderfully when I don't have any security
>
Chuck wrote:
Not sure what else is going on, but the above is incorrect for your webapp - the
context name is *not* part of the .
Oops! You're right of course. Thank you! I'm a little confused as to
why having an incorrect url-pattern would cause the SQL to fail.
About the realm-name --
> From: Robert Jacobson [mailto:vvnxbdd...@snkmail.com]
> Subject: Adding security constraint breaks sql functionality
>
> --- BEGIN web.xml for /changepass
>
>
>
>
> changepass Web
> /changepass/*
Not sure what else is going on, but the abov
Hi,
I'm running Tomcat 6.0.20 on Windows 2003 Server, with JRE 1.6.0_14.
I have a working Tomcat configuration using MySQL authentication to access to
ROOT webapp. I'm using DataSourceRealm just like the one in the Tomcat docs
(http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#DataSourc
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Joe,
On 1/4/2010 6:45 PM, Joe Hansen wrote:
> I just forgot to enable the HTTPS Connector! Login form is working now
> over https.
>
> redirectPort="8443" />
>
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol
e: Help with security-constraint in web.xml
>>
>> However, when I enter the login credentials and submit the
>> form, nothing happens. Somehow changing the redirectPort
>> seems to have broken the login form.
>
> Turn on the AccessLogValve to see what's reaching Tomc
> From: Joe Hansen [mailto:joe.hansen...@gmail.com]
> Subject: Re: Help with security-constraint in web.xml
>
> However, when I enter the login credentials and submit the
> form, nothing happens. Somehow changing the redirectPort
> seems to have broken the login form.
Turn on
the login form.
I'm sure there must be a simple explanation. Chuck, please help me out!!
Thank you,
Joe
On Mon, Jan 4, 2010 at 3:25 PM, Caldarale, Charles R
wrote:
>> From: Joe Hansen [mailto:joe.hansen...@gmail.com]
>> Subject: Re: Help with security-constraint in web.xml
>
> From: Joe Hansen [mailto:joe.hansen...@gmail.com]
> Subject: Re: Help with security-constraint in web.xml
>
> Only a couple of pages need to be served on HTTPS on our website. All
> the remaining pages could be accessed using just HTTP.
Then I'd use what you've got and
Chuck,
>> No, I said you could handle the SSL encryption/decryption in httpd; the
>> redirection still has to occur by Tomcat recognizing a reference to a
>> confidential resource.
I did configure the SSL on the httpd end
(c:\Apache\conf\extra\httpd-ssl.conf) file.
>> As far as how to do so, y
> From: Joe Hansen [mailto:joe.hansen...@gmail.com]
> Subject: Re: Help with security-constraint in web.xml
>
> You were saying that I should handle the forced HTTPS redirection of
> certain pages on the httpd end, right?
No, I said you could handle the SSL encryption/decryptio
es on the httpd end, right? Can you please elaborate on how
to do it or give me pointers on how it could be done?
Thank you!!
Joe
On Mon, Jan 4, 2010 at 2:57 PM, Caldarale, Charles R
wrote:
>> From: Joe Hansen [mailto:joe.hansen...@gmail.com]
>> Subject: Help with security-cons
> From: Joe Hansen [mailto:joe.hansen...@gmail.com]
> Subject: Help with security-constraint in web.xml
>
> What do I need to do so that the user is directed to
> https://ourwebsite.com/spring_security_login instead
Fix the redirectPort attribute in your elements in conf/server.x
Hey all,
We are using Tomcat 6.0 / Apache 2.2. We would like the user to login
over HTTPS rather than plain HTTP.
So, I have defined the following security-constraint in the web.xml
file of our web application:
Login
Login
On 06/11/2009 00:29, Pivo wrote:
Caldarale, Charles R wrote:
From: Piavlo [mailto:lolitus...@gmail.com]
Subject: Re: howto setup url security constraint with parameters?
The problem is that does not work for user dirs
defined with org.apache.catalina.startup.UserConfig
Sounds like a bug
Pivo wrote:
Caldarale, Charles R wrote:
From: Piavlo [mailto:lolitus...@gmail.com]
Subject: Re: howto setup url security constraint with parameters?
The problem is that does not work for user dirs
defined with org.apache.catalina.startup.UserConfig
Sounds like a bug, but I haven
Caldarale, Charles R wrote:
>> From: Piavlo [mailto:lolitus...@gmail.com]
>> Subject: Re: howto setup url security constraint with parameters?
>>
>> The problem is that does not work for user dirs
>> defined with org.apache.catalina.startup.UserConfig
>>
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Security Constraint conflict
>
> I suggest that the Servlet Spec be revised by a German engineer, to the
> effect that everything not specifically allowed is forbidden.
Or we could try the quantum physics interpretati
Caldarale, Charles R wrote:
From: Pid [mailto:p...@pidster.com]
Subject: Re: Security Constraint conflict
The logical union of 'no methods' and 'some methods' is 'some methods',
isn't it? But...
Yes, except the spec says the operation is *not* a union when
> From: Pid [mailto:p...@pidster.com]
> Subject: Re: Security Constraint conflict
>
> The logical union of 'no methods' and 'some methods' is 'some methods',
> isn't it? But...
Yes, except the spec says the operation is *not* a union when a con
On 21/09/2009 01:20, Caldarale, Charles R wrote:
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Re: Security Constraint conflict
On 9/18/2009 9:47 PM, Bill Barker wrote:
I haven't checked the Servlet 3 spec, but with earlier versions,
the union process is to giv
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Security Constraint conflict
>
> On 9/18/2009 9:47 PM, Bill Barker wrote:
> > I haven't checked the Servlet 3 spec, but with earlier versions,
> > the union process is to give you the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Bill,
On 9/18/2009 9:47 PM, Bill Barker wrote:
> I haven't checked the Servlet 3 spec, but with earlier versions, the union
> process is to give you the *least* restrictive checking (i.e. you just have
> to pass one constraint to pass). And, yes, t
"Christopher Schultz" wrote in message
news:4ab3f5f1.5060...@christopherschultz.net...
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Peter,
>
> On 9/18/2009 4:34 PM, Peter Holcomb wrote:
>> Thanks for your response. I've read through the example in 13.7.2 of
>> the spec
>
> Which versio
My bad - I was quoting the servlet 3.0 spec (usually the headings align)
I need to reread but it might be a bug. (I don't have the spec in front
of me) but IIRC it said something to the effect of using the url + the
HTTP method to get all applicable constraints. And then unioning them
together.
I was actually looking in the 3.0 spec (here:
http://jcp.org/aboutJava/communityprocess/pr/jsr315/index.html) but I
believe the same example is available in the 2.4 spec under 12.8.2.
It's the example under "combining constraints".
I can't figure out the unioning process other than maybe it's unio
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Peter,
On 9/18/2009 4:34 PM, Peter Holcomb wrote:
> Thanks for your response. I've read through the example in 13.7.2 of
> the spec
Which version of the spec? I don't see a section 13.8 at all in either
2.4 or 2.5 of the spec. I see the heading "Com
>>
>> It might be easier to write a filter to implement the restriction that only
>> GET/POST/HEAD is allowed.
>>
>> -Tim
>>
>> Peter Holcomb wrote:
>>>
>>> We have a situation where we recently introduced a new security
>>> constr
esult in is unioning all the constraints together for one that passes
>
> It might be easier to write a filter to implement the restriction that only
> GET/POST/HEAD is allowed.
>
> -Tim
>
> Peter Holcomb wrote:
>>
>> We have a situation where we recently introduced
security
constraint into our configuration that has caused a conflict with our
previous constraint. Here's our current configuration:
Restrict access to XHTML pages
Restrict access to XHTML pages
*.xhtml
With no roles defined, no access granted
Prot
We have a situation where we recently introduced a new security
constraint into our configuration that has caused a conflict with our
previous constraint. Here's our current configuration:
Restrict access to XHTML pages
Restrict access to XHTML pages
*.xhtml
With no
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 3/4/2009 11:23 AM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Subject: Re: security-constraint in conf/web.xml
>>
>> sf is expected to be used from within a w
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: security-constraint in conf/web.xml
>
> sf is expected to be used from within a web application, so
> it has to be deployed along with the webapp. So, the WAR file
> would have to be modified in th
Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 3/4/2009 10:01 AM, Caldarale, Charles R wrote:
From: Jurn Ho [mailto:j...@magicmonster.com]
Subject: Re: security-constraint in conf/web.xml
ok, is there an easy way to require authentication to access a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 3/4/2009 10:01 AM, Caldarale, Charles R wrote:
>> From: Jurn Ho [mailto:j...@magicmonster.com]
>> Subject: Re: security-constraint in conf/web.xml
>>
>> ok, is there an easy way to require authentication to acces
> From: Jurn Ho [mailto:j...@magicmonster.com]
> Subject: Re: security-constraint in conf/web.xml
>
> ok, is there an easy way to require authentication to access a
> particular webapp, without modifying the war file?
You can try using this:
http://securityfilter.sourceforge.net/
ok, is there an easy way to require authentication to access a
particular webapp, without modifying the war file?
Caldarale, Charles R wrote:
From: Jurn Ho [mailto:j...@magicmonster.com]
Subject: security-constraint in conf/web.xml
Is it possible to move this config into the conf/web.xml
> From: Jurn Ho [mailto:j...@magicmonster.com]
> Subject: security-constraint in conf/web.xml
>
> Is it possible to move this config into the conf/web.xml instead?
> I have tried this but the security-constraint affects other webapps.
Which is exactly what conf/web.xml is supp
Hello,
I've successfully added a security-constraint into the web.xml of a
webapp so the user has to use a login to use the webapp.
Is it possible to move this config into the conf/web.xml instead?
I have tried this but the security-constraint affects other webapps.
I've tried changi
, Caldarale, Charles R wrote:
>>>> From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: Request
>>>> not forwarded to login page with security-constraint after session
>>>> time-out
>>>>
>>>> The spec is clearer than that. The "*"
On 27.02.2009, at 17:38, Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 2/26/2009 5:39 PM, Caldarale, Charles R wrote:
From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: Request
not forwarded to login page with security-constraint after session
time
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 2/26/2009 7:22 PM, Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Subject: Re: Request not forwarded to login page with
>> security-constraint after session time-out
>
>>> What
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 2/26/2009 5:39 PM, Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: Request
>> not forwarded to login page with security-constraint after session
>> time-out
>>
>> The
Marcel Stör wrote:
[...]
3. Why does it seem to be relevant that the request where
auto-forwarding-to-login-after-session-timeout fails is an AJAX request?
That was my last thought last night before I fell asleep...and my first this
morning when I woke up. And then the scales fell from my eyes